[WIP] Resource Identity

go.mod

@@ -282,17 +282,17 @@ require (
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/hcl/v2 v2.23.0
-	github.com/hashicorp/terraform-json v0.24.0
-	github.com/hashicorp/terraform-plugin-framework v1.14.1
+	github.com/hashicorp/terraform-json v0.24.1-0.20250314103308-f86d5e36f4ab
+	github.com/hashicorp/terraform-plugin-framework v1.15.0-beta.1
 	github.com/hashicorp/terraform-plugin-framework-jsontypes v0.2.0
 	github.com/hashicorp/terraform-plugin-framework-timeouts v0.5.0
 	github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.17.0
-	github.com/hashicorp/terraform-plugin-go v0.26.0
+	github.com/hashicorp/terraform-plugin-go v0.27.0-alpha.1.0.20250325210248-fa8d1fe4306b
 	github.com/hashicorp/terraform-plugin-log v0.9.0
-	github.com/hashicorp/terraform-plugin-mux v0.18.0
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1
-	github.com/hashicorp/terraform-plugin-testing v1.12.0
+	github.com/hashicorp/terraform-plugin-mux v0.19.0-alpha.1
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0-beta.1
+	github.com/hashicorp/terraform-plugin-testing v1.13.0-beta.1
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/mattbaird/jsonpatch v0.0.0-20240118010651-0ba75a80ca38
 	github.com/mitchellh/copystructure v1.2.0

go.sum

@@ -652,10 +652,10 @@ github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/terraform-exec v0.23.0 h1:MUiBM1s0CNlRFsCLJuM5wXZrzA3MnPYEsiXmzATMW/I=
 github.com/hashicorp/terraform-exec v0.23.0/go.mod h1:mA+qnx1R8eePycfwKkCRk3Wy65mwInvlpAeOwmA7vlY=
-github.com/hashicorp/terraform-json v0.24.0 h1:rUiyF+x1kYawXeRth6fKFm/MdfBS6+lW4NbeATsYz8Q=
-github.com/hashicorp/terraform-json v0.24.0/go.mod h1:Nfj5ubo9xbu9uiAoZVBsNOjvNKB66Oyrvtit74kC7ow=
-github.com/hashicorp/terraform-plugin-framework v1.14.1 h1:jaT1yvU/kEKEsxnbrn4ZHlgcxyIfjvZ41BLdlLk52fY=
-github.com/hashicorp/terraform-plugin-framework v1.14.1/go.mod h1:xNUKmvTs6ldbwTuId5euAtg37dTxuyj3LHS3uj7BHQ4=
+github.com/hashicorp/terraform-json v0.24.1-0.20250314103308-f86d5e36f4ab h1:5Qpuprk76zkVEdTCtfoPjUc+1AeUxlgkF6sWTr7qLDs=
+github.com/hashicorp/terraform-json v0.24.1-0.20250314103308-f86d5e36f4ab/go.mod h1:sMKS8fiRDX4rVlR6EJUMudg1WcanxCMoWwTLkgZP/vc=
+github.com/hashicorp/terraform-plugin-framework v1.15.0-beta.1 h1:lX4qacaJc8dqUzEaOALeUW0Gvv0ACs9myvN1WQ4rRgU=
+github.com/hashicorp/terraform-plugin-framework v1.15.0-beta.1/go.mod h1:SNnBQzWTh3ydNHBJF8eLVHlm/2gu+RBG508LCfCSVwI=
 github.com/hashicorp/terraform-plugin-framework-jsontypes v0.2.0 h1:SJXL5FfJJm17554Kpt9jFXngdM6fXbnUnZ6iT2IeiYA=
 github.com/hashicorp/terraform-plugin-framework-jsontypes v0.2.0/go.mod h1:p0phD0IYhsu9bR4+6OetVvvH59I6LwjXGnTVEr8ox6E=
 github.com/hashicorp/terraform-plugin-framework-timeouts v0.5.0 h1:I/N0g/eLZ1ZkLZXUQ0oRSXa8YG/EF0CEuQP1wXdrzKw=
@@ -664,14 +664,14 @@ github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0 h1:v3DapR8gsp3E
 github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0/go.mod h1:c3PnGE9pHBDfdEVG9t1S1C9ia5LW+gkFR0CygXlM8ak=
 github.com/hashicorp/terraform-plugin-framework-validators v0.17.0 h1:0uYQcqqgW3BMyyve07WJgpKorXST3zkpzvrOnf3mpbg=
 github.com/hashicorp/terraform-plugin-framework-validators v0.17.0/go.mod h1:VwdfgE/5Zxm43flraNa0VjcvKQOGVrcO4X8peIri0T0=
-github.com/hashicorp/terraform-plugin-go v0.26.0 h1:cuIzCv4qwigug3OS7iKhpGAbZTiypAfFQmw8aE65O2M=
-github.com/hashicorp/terraform-plugin-go v0.26.0/go.mod h1:+CXjuLDiFgqR+GcrM5a2E2Kal5t5q2jb0E3D57tTdNY=
-github.com/hashicorp/terraform-plugin-mux v0.18.0 h1:7491JFSpWyAe0v9YqBT+kel7mzHAbO5EpxxT0cUL/Ms=
-github.com/hashicorp/terraform-plugin-mux v0.18.0/go.mod h1:Ho1g4Rr8qv0qTJlcRKfjjXTIO67LNbDtM6r+zHUNHJQ=
-github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1 h1:WNMsTLkZf/3ydlgsuXePa3jvZFwAJhruxTxP/c1Viuw=
-github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1/go.mod h1:P6o64QS97plG44iFzSM6rAn6VJIC/Sy9a9IkEtl79K4=
-github.com/hashicorp/terraform-plugin-testing v1.12.0 h1:tpIe+T5KBkA1EO6aT704SPLedHUo55RenguLHcaSBdI=
-github.com/hashicorp/terraform-plugin-testing v1.12.0/go.mod h1:jbDQUkT9XRjAh1Bvyufq+PEH1Xs4RqIdpOQumSgSXBM=
+github.com/hashicorp/terraform-plugin-go v0.27.0-alpha.1.0.20250325210248-fa8d1fe4306b h1:JCAO+OdLztQ6F2bZ8lU93u986UVQl2Y/HNz18/jg3b0=
+github.com/hashicorp/terraform-plugin-go v0.27.0-alpha.1.0.20250325210248-fa8d1fe4306b/go.mod h1:HFPb73wivXPZy5wMuE7T3WqFbpIj6R6q1svKnZsnMZo=
+github.com/hashicorp/terraform-plugin-mux v0.19.0-alpha.1 h1:WCzSBsp719WKEV/+j+4/o742paM0twYm7B84y7x8pOM=
+github.com/hashicorp/terraform-plugin-mux v0.19.0-alpha.1/go.mod h1:iKph9LFBiD4a33AJLgqg7IKSVg2kdlYvx0IRd+ys3Ig=
+github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0-beta.1 h1:Ia0jU/ZLzyfReSg4TMHq6ffYGCNCREzpSMBqswM71a0=
+github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0-beta.1/go.mod h1:fVJWDD6/eNOK0aG55CK5g8vTv3Ph9UD/dZztPPvFDgw=
+github.com/hashicorp/terraform-plugin-testing v1.13.0-beta.1 h1:YpdITO9pgpSVSBoxL9DqiOG/2/rUQtcnP6encYAtKd0=
+github.com/hashicorp/terraform-plugin-testing v1.13.0-beta.1/go.mod h1:2fJBV6Eim03FqxyaPbPW2qZadDbfD1+yj/tRnDHBjjI=
 github.com/hashicorp/terraform-registry-address v0.2.5 h1:2GTftHqmUhVOeuu9CW3kwDkRe4pcBDq0uuK5VJngU1M=
 github.com/hashicorp/terraform-registry-address v0.2.5/go.mod h1:PpzXWINwB5kuVS5CA7m1+eO2f1jKb5ZDIxrOPfpnGkg=
 github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ=

internal/acctest/configs.go

@@ -294,6 +294,11 @@ func ConfigAvailableAZsNoOptInDefaultExclude() string {
 	return ConfigAvailableAZsNoOptInExclude("usw2-az4", "usgw1-az2")
 }
 
+func ConfigAvailableAZsNoOptInDefaultExclude_RegionOverride(region string) string {
+	// Exclude usw2-az4 (us-west-2d) as it has limited instance types.
+	return ConfigAvailableAZsNoOptInExclude_RegionOverride(region, "usw2-az4", "usgw1-az2")
+}
+
 func ConfigAvailableAZsNoOptInExclude(excludeZoneIds ...string) string {
 	return fmt.Sprintf(`
 data "aws_availability_zones" "available" {
@@ -308,6 +313,22 @@ data "aws_availability_zones" "available" {
 `, strings.Join(excludeZoneIds, "\", \""))
 }
 
+func ConfigAvailableAZsNoOptInExclude_RegionOverride(region string, excludeZoneIds ...string) string {
+	return fmt.Sprintf(`
+data "aws_availability_zones" "available" {
+  region = %[2]q
+
+  exclude_zone_ids = ["%[1]s"]
+  state            = "available"
+
+  filter {
+    name   = "opt-in-status"
+    values = ["opt-in-not-required"]
+  }
+}
+`, strings.Join(excludeZoneIds, "\", \""), region)
+}
+
 // AvailableEC2InstanceTypeForAvailabilityZone returns the configuration for a data source that describes
 // the first available EC2 instance type offering in the specified availability zone from a list of preferred instance types.
 // The first argument is either an Availability Zone name or Terraform configuration reference to one, e.g.
@@ -565,6 +586,29 @@ resource "aws_subnet" "test" {
 	)
 }
 
+func ConfigVPCWithSubnets_RegionOverride(rName string, subnetCount int, region string) string {
+	return ConfigCompose(
+		ConfigAvailableAZsNoOptInDefaultExclude_RegionOverride(region),
+		fmt.Sprintf(`
+resource "aws_vpc" "test" {
+  region = %[3]q
+
+  cidr_block = "10.0.0.0/16"
+}
+
+resource "aws_subnet" "test" {
+  count = %[2]d
+
+  region = %[3]q
+
+  vpc_id            = aws_vpc.test.id
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+  cidr_block        = cidrsubnet(aws_vpc.test.cidr_block, 8, count.index)
+}
+`, rName, subnetCount, region),
+	)
+}
+
 func ConfigVPCWithSubnetsEnableDNSHostnames(rName string, subnetCount int) string {
 	return ConfigCompose(
 		ConfigAvailableAZsNoOptInDefaultExclude(),

internal/acctest/knownvalue/account_id.go

@@ -0,0 +1,42 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package statecheck
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+var _ knownvalue.Check = accountID{}
+
+type accountID struct {
+}
+
+// CheckValue determines whether the passed value is of type string, and
+// contains a matching sequence of bytes.
+func (v accountID) CheckValue(other any) error {
+	otherVal, ok := other.(string)
+
+	if !ok {
+		return fmt.Errorf("expected string value for AccountID check, got: %T", other)
+	}
+
+	if a, e := otherVal, acctest.AccountID(context.Background()); a != e {
+		return fmt.Errorf("expected value %s for AccountID check, got: %s", e, a)
+	}
+
+	return nil
+}
+
+// String returns the string representation of the value.
+func (v accountID) String() string {
+	return "Who Knows"
+}
+
+func AccountID() knownvalue.Check {
+	return accountID{}
+}

internal/acctest/statecheck/expect_attribute_format.go

@@ -0,0 +1,60 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package statecheck
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+)
+
+var _ statecheck.StateCheck = expectAttributeFormatCheck{}
+
+type expectAttributeFormatCheck struct {
+	base          Base
+	attributePath tfjsonpath.Path
+	format        string
+}
+
+func (e expectAttributeFormatCheck) CheckState(ctx context.Context, request statecheck.CheckStateRequest, response *statecheck.CheckStateResponse) {
+	resource, ok := e.base.ResourceFromState(request, response)
+	if !ok {
+		return
+	}
+
+	value, err := tfjsonpath.Traverse(resource.AttributeValues, e.attributePath)
+	if err != nil {
+		response.Error = err
+		return
+	}
+
+	otherVal, ok := value.(string)
+	if !ok {
+		response.Error = fmt.Errorf("expected string value for ExpectAttributeFormat check, got: %T", value)
+		return
+	}
+
+	expectedValue, err := populateFromResourceState(e.format, resource)
+	if err != nil {
+		response.Error = err
+		return
+	}
+
+	if otherVal != expectedValue {
+		response.Error = fmt.Errorf("expected value %s for ExpectAttributeFormat check, got: %s", expectedValue, otherVal)
+		return
+	}
+
+	return
+}
+
+func ExpectAttributeFormat(resourceAddress string, attributePath tfjsonpath.Path, format string) statecheck.StateCheck {
+	return expectAttributeFormatCheck{
+		base:          NewBase(resourceAddress),
+		attributePath: attributePath,
+		format:        format,
+	}
+}

internal/acctest/statecheck/expect_identity_regional_arn_format.go

@@ -0,0 +1,109 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package statecheck
+
+import (
+	"context"
+	"fmt"
+	"maps"
+	"slices"
+
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+	tfknownvalue "github.com/hashicorp/terraform-provider-aws/internal/acctest/knownvalue"
+)
+
+var _ statecheck.StateCheck = expectIdentityRegionalARNFormatCheck{}
+
+type expectIdentityRegionalARNFormatCheck struct {
+	base         Base
+	arnService   string
+	arnFormat    string
+	checkFactory func(service string, arn string) knownvalue.Check
+}
+
+func (e expectIdentityRegionalARNFormatCheck) CheckState(ctx context.Context, request statecheck.CheckStateRequest, response *statecheck.CheckStateResponse) {
+	resource, ok := e.base.ResourceFromState(request, response)
+	if !ok {
+		return
+	}
+
+	if resource.IdentitySchemaVersion == nil || len(resource.IdentityValues) == 0 {
+		response.Error = fmt.Errorf("%s - Identity not found in state. Either the resource does not support identity or the Terraform version running the test does not support identity. (must be v1.12+)", e.base.ResourceAddress())
+		return
+	}
+
+	if len(resource.IdentityValues) > 1 {
+		deltaMsg := createDeltaString(resource.IdentityValues, map[string]bool{"arn": true}, "actual identity has extra attribute(s): ")
+
+		response.Error = fmt.Errorf("%s - Expected %d attribute(s) in the actual identity object, got %d attribute(s): %s", e.base.ResourceAddress(), 1, len(resource.IdentityValues), deltaMsg)
+		return
+	}
+
+	attrPath := tfjsonpath.New("arn")
+	value, err := tfjsonpath.Traverse(resource.AttributeValues, attrPath)
+	if err != nil {
+		response.Error = err
+		return
+	}
+
+	arnString, err := populateFromResourceState(e.arnFormat, resource)
+	if err != nil {
+		response.Error = err
+		return
+	}
+
+	knownCheck := e.checkFactory(e.arnService, arnString)
+	if err = knownCheck.CheckValue(value); err != nil {
+		response.Error = fmt.Errorf("checking value for attribute at path: %s.%s, err: %s", e.base.ResourceAddress(), attrPath, err)
+		return
+	}
+}
+
+func ExpectIdentityRegionalARNFormat(resourceAddress string, arnService, arnFormat string) statecheck.StateCheck {
+	return expectIdentityRegionalARNFormatCheck{
+		base:       NewBase(resourceAddress),
+		arnService: arnService,
+		arnFormat:  arnFormat,
+		checkFactory: func(service string, arn string) knownvalue.Check {
+			return tfknownvalue.RegionalARNExact(service, arn)
+		},
+	}
+}
+
+func ExpectIdentityRegionalARNAlternateRegionFormat(resourceAddress string, arnService, arnFormat string) statecheck.StateCheck {
+	return expectIdentityRegionalARNFormatCheck{
+		base:       NewBase(resourceAddress),
+		arnService: arnService,
+		arnFormat:  arnFormat,
+		checkFactory: func(service string, arn string) knownvalue.Check {
+			return tfknownvalue.RegionalARNAlternateRegionExact(service, arn)
+		},
+	}
+}
+
+// createDeltaString prints the map keys that are present in mapA and not present in mapB
+func createDeltaString[T any, V any](mapA map[string]T, mapB map[string]V, msgPrefix string) string {
+	deltaMsg := ""
+
+	deltaMap := make(map[string]T, len(mapA))
+	maps.Copy(deltaMap, mapA)
+	for key := range mapB {
+		delete(deltaMap, key)
+	}
+
+	deltaKeys := slices.Sorted(maps.Keys(deltaMap))
+
+	for i, k := range deltaKeys {
+		if i == 0 {
+			deltaMsg += msgPrefix
+		} else {
+			deltaMsg += ", "
+		}
+		deltaMsg += fmt.Sprintf("%q", k)
+	}
+
+	return deltaMsg
+}